Overview

This article explains how to perform a distributed deployment of the Cisco Umbrella roaming client for Windows from Windows Server 2003, 2008 and 2012 using a Group Policy Object (commonly known as a GPO). There are two different deployment options which are documented and supported by Cisco Umbrella.

The first type of install, Application Install, requires using a special tool, SuperORCA, to edit the installer and embed the parameters for installation within the installer itself. The second type of install, Scheduled Task, requires creating a batch script to pass the installation parameters to the installer upon execution.

Before performing a distributed installation, we recommend reading about the optional customizations available at the time of installation.


Application Install (Recommended) GPO or SCCM

Using SuperOrca or Microsoft ORCA, you can embed the organization-specific data into the .MSI file, which allows the Roaming Client to be distributed as a standalone install file, rather than needing to factor in the OrgInfo.json file as described in the Scheduled Task method.

This article outlines how to create an MSI installer for the Roaming Client with the installation command line parameters embedded in the installer.

SuperORCA is a standalone MSI editor that's lightweight and easy to use. If you prefer using Microsoft ORCA, the instructions are basically identical.

By following the steps below, you will have a ready-to-ship Roaming Client .MSI install file named Setup.msi that can be deployed as an application.

It should look like this after adding all three properties and their matching values:

Navigate to File > Save As and name the file Setup_new.msi. Do not save over the existing filename as this is very likely to corrupt the MSI file!

Then rename Setup.msi to Setup_old.msi, and rename Setup_new.msi to Setup.msi. The new Setup.msi file now contains the data from OrgInfo.json; thus, you will not need to specify this information during installation.

Note: The .msi file must be named Setup.msi to work correctly.

Deploy the Umbrella roaming client using your preferred deployment method, without worrying about the command-line based parameters and values needed with the GPO/command line method. A Microsoft article discusses using GPO to deploy applications, which is one way you can deploy this new .MSI file. This article (3rd party) may also help troubleshoot.

NOTE: Additional modifications to the .MSI beyond those outlined above are not supported and could break the installer.

If you see error 1274 when installing from a shared drive:

The GPO is applying before the network share comes up to the local machine. You're seeing the issue with asynchronous policy processing.

In a GPO that applies to that computer, add the following setting:

Computer Settings > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon - Enabled

After you set that (and allow the GPO to replicate if you're in a multi-DC environment), do a "gpupdate /force /boot" on the subject PC. It will reboot and you should see the software installation occur.

The "Always wait for the network at computer startup and logon" setting slightly slows down startup and logon because all GPO extensions are allowed to process, but the upside is that all GPO extensions are allowed to process.

In a Group Policy applied to these workstations, navigate to Computer Configuration > Policies > Administrative Templates > System > Group Policy.

In the window that opens, right-click and choose New > Text Document and name the file InstallUmbrella.bat.

Right-click the InstallUmbrella.bat file and choose Edit.

Populate the file with the following data, replacing the ORG_ID, ORG_Fingerprint and USER_ID with the values found in the OrgInfo.json file (included in the .zip file downloaded from the dashboard). Save the file when you're done.

Note: \\SERVER\ should be replaced with the full network path to the Setup.msi file. Please make sure the share name is correct and the client computers have sufficient permissions to access the share.

In the Startup Properties dialog box, click Add.

In the 'Add a Script' dialog box, click Browse, select the file InstallUmbrella.bat and click Open.

Click OK > Apply > OK.

This script will run on every subsequent start-up unless you remove it after the initial deployment. The script checks to ensure that the Umbrella roaming client is present and if it is, it will not be reinstalled. However, if the Umbrella roaming client was removed or does not exist, it will install it. It is safe to leave the startup script permanently in place to easily deploy to new computers joining the domain.

Windows 2008

This article outlines the steps required to use a GPO to deploy immediately to Windows 7 (and above) from Windows Server 2008. Depending on your network, you may take steps different than those outlined to deploy to different sets of clients, such as Windows XP.

The Setup.msi and OrgInfo.json files found in the Umbrella roaming client .zip file need to be copied to all target computers or placed in a network share (a UNC Path) accessible by the target computers. To share the file on your network, use the File and Storage Services role/settings or a Network Share Item to make the Setup.msi and OrgInfo.json files accessible.

To use the File and Storage Services role, add the role to the server if not already installed. Then select File Services > Share and Storage Management and from the right side, select Provision Share and share the MSI file.

Once you've placed the Setup.msi file on a network share (UNC Path) accessible by target computers (or distributed the Setup.msi file to all remote computers directly), proceed with creating the GPO.

In the Action tab, choose Immediate Task (At Least Windows 7). If you'd like to schedule it instead, choose Scheduled Task (At Least Windows 7) and set your schedule. Next, you'll be taken to tabs outlining how to set up the task.

On the General tab:

Enter a task name to identify the task easily.

Click Change User or Group to select the DOMAIN\Administrator or equivalent level account that will be used when running the task.

Select Run whether user is logged on or not.

Check Run with highest privileges.

Set Configure for to Windows 7.

On the Actions tab:

Click New.

Set Action to Start a program.

Under Program/script add:

msiexec.exe

Under Add Arguments (optional) specify /i (install), then replace Share_location with the network location (UNC path) of the Setup.msi and OrgInfo.json files. (If copied to the local machine, provide the local path). For the purpose of this example screenshot, the location of the files is a server named "egon" on a share called "Share". Then specify /qn which means the end user will not be prompted to complete the installation. Remember that both Setup.msi and OrgInfo.json must be in the folder in question.

/i \\ServerName\Share_Name\Setup.msi /qn

This is also where you would want to add any Optional Parameters to change the default behavior of the Umbrella roaming client (to hide the User Interface and/or hide the Roaming Client from Add/Remove Programs).

Use exactly the same location of the Setup.msi file and OrgInfo.json file in the Start In (optional) field. If the same location is not utilized here, the installation will fail. Click OK.

On the Common tab:

Check Apply once and do not reapply.

Depending on your network and personal preferences, check any remaining options in the remaining three tabs: Conditions, Settings, and Common.

Click OK to complete and save the task.

Force an immediate group policy update by issuing the following command on the Domain Controller's command prompt:

gpupdate /force

Once the update reaches the endpoint computers, they should begin to take action to pull down the Setup.msi/OrgInfo.json from the network share and run it according to the specified switches given earlier.
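Because the task above runs msiexec.exe with highest privileges against files pulled from a network share, it is worth confirming before rollout that Setup.msi and OrgInfo.json are both present in that folder and that only administrative identities can modify them. The following PowerShell check is an added example, not part of the original Cisco article; the default UNC path is a placeholder and the set of trusted identities is an assumption to adjust for your domain.

```powershell
# Added example: pre-deployment check of the folder the GPO task installs from.
# $SharePath is a placeholder; pass your own UNC path.
param([string]$SharePath = '\\ServerName\Share_Name')

$findings = @()
$files = 'Setup.msi', 'OrgInfo.json' | ForEach-Object { Join-Path $SharePath $_ }

# Both files must be in the same folder (the task's "Start in" location).
foreach ($file in $files) {
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        $findings += "Missing: $file"
    }
}

# Rights that would let an identity replace or alter the installer,
# plus the raw GENERIC_ALL / GENERIC_WRITE bits that can appear in folder ACLs.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x50000000

# Identities expected to hold write access (assumed trusted set), matched by
# SID so the check does not depend on the OS language: SYSTEM,
# BUILTIN\Administrators, CREATOR OWNER, and the Domain Admins /
# Enterprise Admins groups (RIDs 512 and 519).
$trusted = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-21-[\d-]+-(512|519))$'

$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($path in @($SharePath) + $files) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            ([int]$rule.FileSystemRights -band $writeMask) -and
            $sid -notmatch $trusted) {
            $findings += "Writable by ${sid}: $path"
        }
    }
}

if ($findings) { $findings; exit 1 }
'OK: both files present; only administrative identities can modify them.'
```

This reads NTFS permissions only; share-level permissions are set separately on the file server and should also grant clients read access only.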